While the U-MD investigates how personal info was stolen from more than 300,000 students, alumni and employees, it looks like College Park will have a challenging time sorting out the mess.
COLLEGE PARK, Md. (WUSA) -- Cyber crime has become one of the top priorities for government agencies, companies and universities.
This week, the University of Maryland was the victim of a sophisticated computer security attack.
"Cyber events often take place very quickly, they unfold very quickly," said Matthew Esworthy, a cyber expert and partner at the Shapiro, Sher, Guinot & Sandler law firm.
Esworthy spoke about cyber attacks and security to the American Bar Association on Friday, just two days after more than 300,000 student and employee records were compromised at U-MD.
The school has issued a statement assuring, "We have been working around the clock to ensure the breach has been contained and that other data systems are protected... no financial, academic, health or contact information was accessed."
What was accessed included names, birthdays and Social Security numbers - information that every company and university has a legal obligation to protect.
Beyond that obligation, 46 states, including Maryland, have further laws in place that direct those who experience a breach on what to do, when authorities have to be notified, how an entity has to notify individuals or groups of people who have had their information compromised, and the very definition of what personal information is, which differs from state to state.
"Every state is slightly different. So, in a case like the University of Maryland data breach, they do have some problem in terms of notifying every student from every state in the proper manner," said Esworthy.
He added that all the different students, from different states with different laws, could cause a legal headache for College Park.
But he also noted that, at least up to this point, "Maryland has done what appears to be a very good job of getting [information] out there quickly - within 24 hours of discovering this."
The university is offering free credit protection services for everyone affected - students, alumni, faculty, staff and employees contracted with U-MD.
The university has done this, said Esworthy, while trying to find the hacker, which can be difficult considering there is no typical profile for a hacker. "It could be they're after something specific and they want the personal information of a former alum and they had to get a group in order to get that information, it could be they're a bored high school kid in their bedroom and they wanted to have some fun," explained Esworthy.
A breach could stem from something as simple as human error or as complex as a sophisticated hacker meeting a vulnerable security system. The university has said that they believe the person(s) who hacked into their computer system operated at an advanced level.
But Esworthy stressed that however it happens, whoever does it and whatever is compromised, with hacking techniques and technologies constantly evolving, security breaches have become a fact of life.
"It's a huge issue and it's only going to get bigger," he said.
University police are working with the Secret Service on the breach investigation.